Smartphone user accounts must not be assigned to the default security/IT policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24978	WIR-WMS-GD-007	SV-30819r2_rule	ECSC-1	Medium

Description
The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.

STIG	Date
Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide	2011-10-04

Details

Check Text ( C-31348r2_chk )
User accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets on the Good server user accounts have been assigned to using the following procedures: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures: --Log into the Good Mobile Control console. --Click on the Policies tab. --View all policy set on the server. -Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device. Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. Verify all users are assigned to a STIG policy set. --Log into the Good Mobile Control console. --Click on the Handhelds tab. Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.

Check Text ( C-31348r2_chk )

User accounts will only be assigned a STIG-compliant security/IT policy.

Determine which policy sets on the Good server user accounts have been assigned to using the following procedures:

-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures:
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy set on the server.

-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device.

Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.

Verify all users are assigned to a STIG policy set.
--Log into the Good Mobile Control console.
--Click on the Handhelds tab.

Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.

Fix Text (F-27619r1_fix)
User accounts will only be assigned a STIG compliant security/IT policy.